Same as  Issue 738747  which was "Won't Fixed"

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Guessing https://chromium.googlesource.com/chromium/src/+/7d0f75c321cae8a33f60fd291157d4c5d3fa9d01 based on regression range (although a pretty wild guess).

qyeasley, could you take a quick peek to either confirm or rule out your CL?  Feel free to bounce this back to me if it is unrelated.  Thanks.

Definitely looks related to my CL (since it involves unicode characters outside of the BMP in an element with "-webkit-text-security: disc").

I'll start to investigate this today and update this bug.

Ran out of time today, will update tomorrow.

I've reproduced this, and simplified the test case (attached), but it's still pretty tricky and I haven't yet figured out what's actually going on.

Deleted: bug-751193-testcase-simplified.html 988 bytes

bug-751193-testcase-simplified.html 988 bytes View Download

[Bulk Edit]
URGENT - PTAL.
Your bug is labelled as M61 Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP.

Know that this issue shouldn't block the release?  Remove the ReleaseBlock-Stable label.

Thank you.

I'm not actually clear about the security implications of this, and I think it's not *just* related to my change.

Update on debugging this: I've now further simplified the reproducing test case:

<style>
  #textareaElement {
    -webkit-appearance: radio;
    -webkit-text-security: disc;
  }
</style>
<textarea id="textareaElement"></textarea>
<script>
let counter = 0;
textareaElement.select();
for (let i = 0; i < 5; i++) {
  console.log('iteration', i, 'value', textareaElement.value);
  var myString = String.fromCharCode(
    0xAC00,  // Character in Hangul syllable block
    0x11B0,  // Character in Hangul Jamo block
    0x78, 0x78);  // Two more characters
  document.execCommand("insertText", false, myString);
}
</script>

Which yields:
iteration 0 value 
iteration 1 value 갉xx
iteration 2 value 갉x갉xx
iteration 3 value 갉x갉갉xx
iteration 4 value 갉x갉갉xx갉xx
[CRASH]

But I still don't understand what's happening. I think it has something to do with combining characters.

kojii@, do you have any hints or ideas about what I might look at next?

Update: I don't *think* this should block the release, but I'm not sure, so I'll check if reverting my change fixes the issue, and if so, I'll revert.

Just verified that after reverting my change, the crash doesn't occur. Made revert CL https://chromium-review.googlesource.com/c/611387.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d280c9c1fd90b3e85249092452c6cfa2fff48340

commit d280c9c1fd90b3e85249092452c6cfa2fff48340
Author: Quinten Yearsley <qyearsley@google.com>
Date: Fri Aug 11 18:08:50 2017

Revert "In password fields, show one dot per grapheme cluster."

This reverts commit 7d0f75c321cae8a33f60fd291157d4c5d3fa9d01.

Reason: This change introduced a potential security risk,
wherein inserting particular strings of characters into a
text field could cause a DCHECK failure in
TextRunConstructor.cpp.

It should be relanded once it can be verified that it
doesn't cause a problem like  https://crbug.com/751193 .

Bug:  751193 , 486880
Change-Id: Iaa0c603ec1ee53fc3d093e392b2a27b778f8bb94
Reviewed-on: https://chromium-review.googlesource.com/611387
Reviewed-by: Emil A Eklund <eae@chromium.org>
Commit-Queue: Emil A Eklund <eae@chromium.org>
Cr-Commit-Position: refs/heads/master@{#493809}
[delete] https://crrev.com/0f2c5ddcaba532562888e6effb626c64b9064b4b/third_party/WebKit/LayoutTests/fast/forms/password-length-emoji-expected.html
[delete] https://crrev.com/0f2c5ddcaba532562888e6effb626c64b9064b4b/third_party/WebKit/LayoutTests/fast/forms/password-length-emoji.html
[modify] https://crrev.com/d280c9c1fd90b3e85249092452c6cfa2fff48340/third_party/WebKit/Source/core/layout/LayoutText.cpp

ClusterFuzz has detected this issue as fixed in range 493793:493842.

Detailed report: https://clusterfuzz.com/testcase?key=6041811809468416

Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Security DCHECK failure
Crash Address: 
Crash State:
  offset + length <= text.TextLength() in TextRunConstructor.cpp
  blink::ConstructTextRun
  blink::BreakingContext::HandleText
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=482442:482493
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=493793:493842

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6041811809468416

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6041811809468416 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug requires manual review: Reverts referenced in bugdroid comments after merge request.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

+awhalley@ for M61 merge review.

govind@ - good for 61

Approving merge to M61 branch 3163 based on comment #23. Please merge ASAP. Thank you.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f83b3fa59417998a87c4ea62cda4b893de690532

commit f83b3fa59417998a87c4ea62cda4b893de690532
Author: Quinten Yearsley <qyearsley@google.com>
Date: Mon Aug 14 20:36:19 2017

Revert "In password fields, show one dot per grapheme cluster."

This reverts commit 7d0f75c321cae8a33f60fd291157d4c5d3fa9d01.

Reason: This change introduced a potential security risk,
wherein inserting particular strings of characters into a
text field could cause a DCHECK failure in
TextRunConstructor.cpp.

It should be relanded once it can be verified that it
doesn't cause a problem like  https://crbug.com/751193 .

TBR=qyearsley@google.com

(cherry picked from commit d280c9c1fd90b3e85249092452c6cfa2fff48340)

Bug:  751193 , 486880
Change-Id: Iaa0c603ec1ee53fc3d093e392b2a27b778f8bb94
Reviewed-on: https://chromium-review.googlesource.com/611387
Reviewed-by: Emil A Eklund <eae@chromium.org>
Commit-Queue: Emil A Eklund <eae@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#493809}
Reviewed-on: https://chromium-review.googlesource.com/614397
Reviewed-by: Quinten Yearsley <qyearsley@chromium.org>
Cr-Commit-Position: refs/branch-heads/3163@{#552}
Cr-Branched-From: ff259bab28b35d242e10186cd63af7ed404fae0d-refs/heads/master@{#488528}
[delete] https://crrev.com/d8be0b2d6059b892ee8b7e1209bfbe5ecce8021e/third_party/WebKit/LayoutTests/fast/forms/password-length-emoji-expected.html
[delete] https://crrev.com/d8be0b2d6059b892ee8b7e1209bfbe5ecce8021e/third_party/WebKit/LayoutTests/fast/forms/password-length-emoji.html
[modify] https://crrev.com/f83b3fa59417998a87c4ea62cda4b893de690532/third_party/WebKit/Source/core/layout/LayoutText.cpp

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot